ISP protection can shield employer against staff email, says US court

A Californian court has extended a legal protection designed for internet service providers (ISPs) to employers whose workers commit offences using work email and internet access.

The decision relieves Hewlett-Packard spin-off Agilent of any responsibility for actions carried out by its employees which, though not carried out on behalf of the company, did use the company's infrastructure.

An Agilent employee sent and posted threatening messages directed against employees of another company, Varian, using work-provided email and internet access.

Those people won a court case against the employee and a $1 million award. They then took a case against Agilent, which they have lost.

The protection extended to Agilent by the court is under Section 230 of the Communications Decency Act, which protects companies against liability for the actions of people to whom they provide communications services.

Designed to protect ISPs from liability for the comments and actions of their customers, the section of the Act was made to apply to Agilent. The court found that the company met the definition in the Act of an "interactive computer service", that it provided those services to many users and connected those users to a server and on to the internet. It was, therefore, entitled to protection from the uses to which its users put it, said the court.

Companies are not liable for all the actions of employees, even on company equipment or services, either in the US or the UK. The employee in question was eventually fired for violation of company email policies in relation to the activities that became the subject of the court cases.

In both US and UK law an employer can only be liable if the actions undertaken have some relation to the activities of the company.

"Under UK law an employer will only be liable for the negligent acts of its employees if they are committed in the course of the employment," said Ben Doherty, an employment specialist with Pinsent Masons, the law firm behind OUT-LAW.COM. "Should the employee engage in a 'frolic of his own', the employer will not be liable."

There are some classes of behaviour, though, which an employer can be held responsible for even if it was unrelated to the work of the employer.

"The position is different under the Sex Discrimination Act," said Doherty. "There, an employer may be liable for the acts of an employee unless they are able to demonstrate that they have done everything reasonable to prevent the act of discrimination."

Section 230 of the Communications Decency Act has provoked controversy before. It grants immunity to message board hosts and ISPs in relation to defamation, even after the host or ISP has been notified that a comment or article is defamatory. By contrast, in Europe the host must remove content once it has been shown to be defamatory.